LimaCharlie
Overview
LimaCharlie is a SecOps Cloud Platform that provides comprehensive visibility into endpoint security and infrastructure operations. It collects and processes various types of telemetry data, including endpoint detection and response (EDR), system logs, network data, and cloud infrastructure logs.
AlphaSOC specifically analyzes DNS query logs from LimaCharlie to detect suspicious domain activity, command and control communication, data exfiltration attempts, and other DNS-based threats. By integrating LimaCharlie DNS logs with AlphaSOC, you can leverage advanced analytics to identify network-based security threats and anomalies in your infrastructure.
Prerequisites
Before integrating LimaCharlie with AlphaSOC, ensure you have the following:
- A LimaCharlie account with administrative privileges.
- A Google Cloud Platform (GCP) account with administrative privileges.
Configuring LimaCharlie to Export Data to AlphaSOC
This guide walks through the process of configuring LimaCharlie to export telemetry data to AlphaSOC using Google Cloud Storage (GCS) as the transport method.
Step 1: Create a Google Cloud Storage Bucket
If you don't already have a GCS bucket for storing LimaCharlie data, create one by following these steps:
- Log into the Google Cloud Console.
- Navigate to Cloud Storage.
- Click Create bucket.
- Enter your bucket information.
- Click Create.
Step 2: Create a Service Account for LimaCharlie
LimaCharlie requires a service account with permissions to write data to your GCS bucket:
- In the Google Cloud Console, navigate to IAM & Admin > Service Accounts.
- Click Create Service Account.
- Enter a service account name (e.g., limacharlie-export) and description.
- Click Create and Continue.
- Grant the Storage Object Creator role to allow writing to the bucket.
- Click Continue, then Done.
Step 3: Generate Service Account Credentials
- In the service accounts list, click on the action column of the service account you just created, and click Manage keys. Verify you're in the Keys tab of the correct service account.
- Click Add Key > Create new key.
- Select JSON as the key type.
- Click Create to download the JSON key file. Store this file securely, as it contains credentials for accessing your GCS bucket.
Step 4: Configure LimaCharlie Output
- Log into your LimaCharlie console.
- Navigate to Outputs under the DEVELOP section in the left sidebar.
- Click Add Output.
- Choose Events as the output stream.
- Select Google Cloud Storage as the output destination.
- Configure the output with the following settings:
- Click Save Output.
- Verify that the output is active and properly configured to export data to your GCS bucket. When it's done, click All Done.
Step 5: Configure AlphaSOC to Ingest from GCS
Follow AlphaSOC's Google Cloud Storage transport guide to configure AlphaSOC to read and process data from your GCS bucket.
This involves:
- Creating a Pub/Sub topic to receive notifications when files are uploaded.
- Creating a push subscription to forward notifications to AlphaSOC.
- Granting AlphaSOC access to read from your GCS bucket.
- Configuring bucket notifications.
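When troubleshooting this notification chain it helps to see what the Pub/Sub push delivery for a bucket upload actually contains. The following is an added example (not AlphaSOC's or LimaCharlie's code) that decodes a GCS push notification, keeps only OBJECT_FINALIZE events for the bucket you configured, and returns the object's gs:// URI; the bucket name, object path and subscription name in the sample are constructed.

```python
import base64
import json

# Constructed sample of a Pub/Sub push delivery for a GCS bucket notification.
# GCS puts the event type and bucket in message attributes and the object
# resource (JSON_API_V1) base64-encoded in message.data. Names are made up.
SAMPLE_PUSH = {
    "message": {
        "attributes": {
            "eventType": "OBJECT_FINALIZE",
            "bucketId": "limacharlie-export-bucket",
            "objectId": "events/2024/01/01/00/part-0000.json.gz",
            "payloadFormat": "JSON_API_V1",
        },
        "data": base64.b64encode(json.dumps({
            "bucket": "limacharlie-export-bucket",
            "name": "events/2024/01/01/00/part-0000.json.gz",
            "size": "20480",
        }).encode()).decode(),
        "messageId": "1",
    },
    "subscription": "projects/example-project/subscriptions/alphasoc-push",
}


def parse_gcs_notification(push_body: dict, expected_bucket: str):
    """Return the gs:// URI of a newly written object, or None when the
    notification is not a finalize event for the bucket we configured."""
    msg = push_body.get("message", {})
    attrs = msg.get("attributes", {})
    if attrs.get("eventType") != "OBJECT_FINALIZE":
        return None  # deletes, archives and metadata updates carry no new data
    if attrs.get("bucketId") != expected_bucket:
        return None  # a notification from a bucket this subscription should not see
    raw = base64.b64decode(msg.get("data", "")) or b"{}"
    payload = json.loads(raw)
    # Prefer the object resource; fall back to the objectId attribute.
    name = payload.get("name") or attrs.get("objectId")
    if not name:
        return None
    return f"gs://{expected_bucket}/{name}"


if __name__ == "__main__":
    print(parse_gcs_notification(SAMPLE_PUSH, "limacharlie-export-bucket"))
```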
Step 6: Verify Data Flow
After completing the configuration:
- Wait for LimaCharlie to export data to the GCS bucket.
- Verify that files are appearing in your GCS bucket.
- Check the AlphaSOC console to confirm that data is being ingested and processed.
Alternative Transport Methods
While this guide focuses on using Google Cloud Storage, AlphaSOC supports multiple transport methods for data ingestion. Depending on your infrastructure and preferences, you may choose alternative methods such as Amazon S3, Azure Blob Storage, HTTPS, or SFTP.
For a complete list of supported transport methods and their configuration guides, visit the Collecting Data documentation.